<br><div class="gmail_quote"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">3. Security team takes a copy of the currently vulnerable code and
<br>checks it into <a href="http://cvs-security.drupal.org" target="_blank">cvs-security.drupal.org</a> at modules/foobar. Creates a CVS<br>account for developer and gives them access to their module's directory<br>only.
</blockquote></div><br clear="all">This is the part that is of concern to me.<br><br>First, is it scalable? It requires a significant amount of the security team's manpower.<br><br>Second, a snapshot can get stale vs. the code at cvs.d.o, and all sorts of<br>interesting stuff can happen.<br><br>Third, back-synching cvs-security.d.o to cvs.d.o after the SA process <br>is done is a lot of work, and could introduce errors.<br><br>Sorry, I don't want to sound too negative, but the security team is overloaded
<br>as it is. The rest of your proposal makes sense, and does have lots of benefits.<br>-- <br>Khalid M. Baheyeldin<br><a href="http://2bits.com">2bits.com</a>, Inc.<br><a href="http://2bits.com">http://2bits.com</a><br>Drupal optimization, development, customization and consulting.